Closed Tcll closed 4 years ago
The wiki has been replaced by https://docs.voidlinux.org. I'm not sure anyone would be interested in officially supporting a script, but documenting this there would be welcome, I'm sure.
unfortunately void-installer doesn't seem to support disk encryption like something even as old as Xubuntu 16.04 does...
which is an installer I actually used during my initial endeavors to set up my disk before installing Void (manually clearing the Xubuntu root directory before-hand)
honestly this tutorial doesn't even go as far as I'd like to, as I can only create 1 partition for both boot and root... whereas what I'd normally do without encryption is something like what I'm doing on this machine: or to put that more simply [ swap, boot, extended OS and optional data partitions, recovery OS ] (recovery to repair grub among other things without the annoyances of a live image)
I'm sure I could probably get something working if I can encrypt every partition and somehow have grub manage 2 keys for both itself and the OS partition... but I digress, I'm just a noob, I don't build linux distros because I don't have time nor interest the fact I was able to get grub to boot a broken Void install is an achievement in itself.
but the fact that this broken tutorial is all that can be found on the topic for encrypting a void installation is the issue I'm trying to address here.
additional concerns: why do I want to encrypt? well aside from other numerous reasons for such my particular reason is I'm trying to build a router, and don't want to give hackers the ability to simply modify the contents of the drive over WAN as for breaking into the running OS, that's another issue outside the scope of this issue.
just wanted to update while I couldn't get the partition to mount in the Void live image (xfce) I was able to get the partition to mount on the Xubuntu 16.04 live image and am able to modify its files...
so it looks like this might be an issue with Void's luks support?? maybe a missing package or something??
idk, I'm really not qualified to be working on this stuff I build/mod video games, not linux distros is there anything I can do to get this thing up and running?? honestly, I don't even care if it's just the 1 partition, as long as I can just boot Void off luks, I'll be happy...
it would really help back that aggressive BSD security attitude as well ;) yes I know this is Linux, not BSD, but what's the point of claiming to be BSD-like without the attitude to back the claim?
I think you could be missing a dracut module.
oh that makes sense alright I'll look into that, thanks :)
It would be nice to have a good luks guide on the docs.
ok so you could be onto something @Vaelatern
looking in /usr/lib/dracut/ on the partition, I've only found 2 folders with "crypt", 1 with "lvm", nothing with "luks"...
90lvm/ and 91crypt-loop/ could be all I need though
though I want to mention, if gpg is known to be broken and insecure, why is 91crypt-gpg/ not only explicitly included when configured...
that is, if all modules aren't just simply configured by default anyways...
which if that's the case, maybe 91crypt-luks/ is a false expectation??
I'm just applying logic is all :P
EDIT: also on a side note could Void boot without dracut, or is dracut part of what makes Void secure?? Xubuntu doesn't seem to come with dracut, so I'm a bit confused by it... (was thinking I could just copy the module if dracut is a common bootstrapper or something)
EDIT2: according to this dracut is apparently an init program generation utility to make booting faster which the initial thought I get is someone knowledgeable with root access over the net could possibly abuse this to boot a persistent RAT
you would never know about it of course unless you knew how linux worked and took the time to look for it ... or of course found out someone shared or used something from the machine
that 2nd thing actually happened to me on Xubuntu apparently someone got access to an invite link from a program I never shared found out whoopsie was infected, sending out UDP traffic to some random IP (I took care of it of course and no longer have the issue, but I've been skeptical about what hackers can abuse)
if you want more insight, look up Pupy all you need is someone's IP to infect them with (or so I've been told anyways)
ok so after reading up a bit on things
I'm back booted into the dracut shell currently
I can actually run # cryptsetup luksOpen /dev/sda1 voidvm just fine
so it's mounted, I just need to figure out how to link it to / and boot it
I can't simply do # mount /dev/sda1 / because mount /: unknown filesystem type 'crypto_LUKS'.
but aside from that, everything SEEMS fine I SHOULD be able to boot this, but I just need to know how and then what to do to fix this once booted
update GOT IT! according to this all I had to do at the dracut shell was run:
# lvm lvchange -a y voidvm/root
# exit
and now I'm at the void login prompt :)
I'll keep playing with things after installing xfce, lxdm, and such (I prefer to do a network source install because it wipes everything unwanted like pulseaudio and such) I'll edit after rebooting if I end up back at the dracut shell or it boots normally.
buuut at least this confirms my noobness was actually able to write a working installation from a broken tut :)
EDIT: well the first reboot took me back to the shell
and so did the second after running $ dracut --force --regenerate-all
apparently the lvm volume isn't mounting like it's supposed to, so I need to run this every time it boots:
# cryptsetup luksOpen /dev/sda1 voidvm
Enter passphrase for /dev/sda1:
# lvm lvchange -a y voidvm/root
# exit
at least lxdm works properly though and doesn't drop me to a tty like it used to :)
but yeah something's configured wrong in my installation procedure and I'm not sure what...
should the sid section include the UUID of the root volume rather than the voidvm group??
or is that actually correct and something else is going on??
I literally have no idea what I'm doing :P
Now your dracut shell has all the tools you need, you probably need a configuration change for lvm. I've only once worked with LVM, but it's possible you want a configuration file that informs lvm of its needs.
@Vaelatern I don't think lvm is exactly the problem
I think the problem has to do with the volume.key file not being used as it's supposed to be
thus I have to luksOpen the volume (which is why dracut can't find it)
just to note I haven't actually changed anything from the OP
the issue I had when starting this thread is the exact same issue I have now
everything works, it just doesn't apply the key
so something's wrong with the installation directions, and I think it has to do with the sed command:
sed -i '/GRUB_CMDLINE_LINUX_DEFAULT=/s/"$/ rd.auto=1 cryptdevice=UUID=PASTE:lvm&/' /etc/default/grub
I said sip last time... woops :P
if not that line, then maybe this line isn't working in /etc/dracut.conf.d/10-crypt.conf?
install_items+=" /boot/volume.key /etc/crypttab "
I don't want to risk screwing something up, which is why I'm asking for someone hopefully knowledgeable
the only thing I've changed from the wiki is the base installation procedure is passed to void-installer
where I've only removed this stuff, since it's all passed onto the installer:
# chown root:root /
# chmod 755 /
# passwd root
# echo voidvm > /etc/hostname
# echo "LANG=en_US.UTF-8" > /etc/locale.conf
# echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
# xbps-reconfigure -f glibc-locales
everything else is pretty much unchanged, except for the for in 5.sh that no longer needs mkdir.
but yeah, something from the wiki is incorrect (aside from the grub minimal console error) that's causing dracut to not mount the volume...
hahahaha, welp, here's something you guys are probably gonna get a kick out of if I had to take a rough guess, I'd assume that all of my problems are caused from using the DE repo.
after following both answers on here
because I was having the invalid cert issue whenever running xbps-install
while I'm sure that just changing the date from Jan 1 2003 would've fixed the invalid cert issue (since that somehow got messed up despite installing from network)
I think the fact I ran an update -Suv from the US repo, which reconfigured dracut, fixed my issue.
now it asks for a password to mount the partition from initramfs, which is something I think the tut was supposed to solve, because I have to enter the password twice: once for grub once for initramfs
after that, Void starts normally
I also installed zfs and gparted before rebooting, but I don't think those really did anything here
so while this solves the problem, I don't think it solves the issue
would anyone be willing to test my scripts while replacing the DE repo with the US repo in 5.sh:
xbps-install -Sy -R http://alpha.us.repo.voidlinux.org/current -r /mnt lvm2 cryptsetup
I don't really wanna go through the process again because it's quite cumbersome
especially for the fact you can't run 7.sh through 9.sh after running chroot
I don't think you can pack everything into 1 easy shell script unless you can wait for user input.
I'd like to just fix the 2x password entry if I can. >_>
Rant: (read below at your own risk, proceed with caution, I'm a bit triggered)
frankly it's rather disappointing some nobody like me had to come along and point out the void-installer doesn't support luks after all this time (7 years at least). :srs:
(I'm not sure if the command has been around that long, but luks certainly has)
I also find it a bit disheartening the void-installer isn't a user-friendly GTK UI, but I can let that one slide...
I understand this when running from the base (no DE) live image, but not for the others like xfce and such which are trivial to create a launcher for, just, no.
why should "BSD-like" have to conform to pathetic elitism where EVERYTHING is done strictly from the terminal.
come on guys, "BSD-like" should be BSD-like (functionality), not elitist-like (aesthetic)
heck even BSD uses a cursor (well, FreeBSD anyways, not OpenBSD)
the fact that BSD mostly uses the terminal is the exception from otherwise not having much support. not the preference of the complacent elitist attitude being "unix is better than posix"
Arch and Gentoo already hold and boast the elitist crowns being bases you can build from, Void boasts BSD-like for no systemd (runit) and higher security, not aesthetics. (just cause I'm a game dev/hacker doesn't mean I don't know my stuff)
I understand Void is a half-dead (abandoned?) distro because the developer has been on hiatus for god knows how long (I'm in a similar boat with my main project because I'm having trouble figuring out anonymous IPC over non-standard pipes in python) but why should that halt the evolution of the distro if so many seem to share the passion of it.
I'm sorry if I offended anyone here I use (and love, if you can't tell) Void because it's touted to be the most secure linux distro especially for that BSD-like attitude behind it I'm disappointed to see it slowly rotting away like this :/
if I had the ability to drop my followers for the projects I'm working on, I would certainly take a crack at working on making security features like HIPS (Comodo AntiVirus for Windows), Tor (Tails), VLAN (BSD), Virtualization (Qubes), and heck maybe even my own network protocol (not TCP/IP based) native to Void heck, maybe even take a crack at forking Void
why just stop at being BSD-like when Void could be better than BSD heck VLAN is already something BSD holds over Linux as it's stupid easy to configure
but anyways, again, I'm sorry if my rant offends anyone it just seems like nobody really wants to put any effort into making Void a decent distro... yes it's gotten better over the years, but how much is there that's still left broken or insecure that's hardly being worked on? I'm just left shouting from the sidelines because I got my own stuff to work on, and can't put any effort towards this distro I share a huge passion for. -.-
I really hope things pick up in the near future
I understand Void is a half-dead (abandoned?) distro because the developer has been on hiatus for god knows how long
Please do not have this attitude. There is no truth behind any of this.
Void is alive, the core team that keeps it that way is also alive.
Do you have issues beyond the poor documentation on the outdated wiki? We do not control the content of the wiki, and no longer recommend it.
By the way, feel free to install gpm to get mouse usage at your console :)
oh neat at the mouse usage (or terminal cursor) bit I always thought curses was the only thing that could interact with the terminal thanks for that :)
but that wasn't exactly my point... I'm thinking of everyone else I've helped install Void, they're just noobs (yes I'm actually doing a lot behind the scenes to help keep Void alive) ^ I've had to switch a few to Mint or Manjaro because just about everything works where it's otherwise a hassle, but they want to try to install Void later on for its superior security.
also that bit about being half-dead yeah I don't mean to insult the core team, you guys do an amazing job for what IS done ;)
but for an example of one thing that's left out is 64bit Wine support... I'm not sure if that's been updated though as this was with the 2018 11 11 release I still have the ISO for another thing is Blender 2.8 runs at 0.5FPS because some library is broken... but that's also knowledge as of the 2018 11 11 release and could be fixed in the update (take the link with a grain of salt because I press the blender devs to include the library rather than you guys fixing it) ^ although it IS a "portable" application, so these things should probably be included regardless.
point be made, there's a lot of issues that arise from Void's lack of support (I understand you guys can only do so much, and don't want to push too hard) if there was an actual forum (not a reddit thread), I would've addressed a ton of these issues a long time ago. (a self-hosted forum would also stand behind the BSD attitude)
yeah Void is NOT dead like many claim, there's just a ton that's not up to spec, which is why I say half-dead ;) with that said though, that's where the lack of effort comes in... it just seems like it's on life support...
I really don't want see this distro fall, because there's no other distro I know of that puts this much effort towards actual security (Tails is kinda a joke). unlike most everyone else I see with the same attitude as systemd "well I haven't been hacked yet, so that must mean it's secure" (ignoring all of the issues with it) that's why I'm upset
everyone seems to think of security as keeping a local family member out of your PC nobody addresses keeping everyone else over the internet out of your PC, which is just as important. (backed up by the fact Linux doesn't have HIPS as of yet, not even CAVL provides it, and something like snort only Detects intrusion)
but anyways, thank you for bearing with me on everything. I really hope things pick up where they need to :)
getting back on topic though
I haven't had any issues with either the docs or Void I haven't fixed or worked around so far
but all the issues I've had have mostly been 3rd party...
for example octoxbps can't install anything as gksudo doesn't work
so I just work around that by searching for packages, and then running xbps-install manually.
or for another example, I need to close the drive tab/window in nemo, or the entire program exits when I unmount a drive.
before I really report anything though, I need to test everything on the update as I'm still running 2018 11 11 on my primary machine... (once I can get my DIY multi-purpose router going (the encrypted machine), I'll be able to work on updating my primary and also this machine I'm typing from)
@the-maldridge why was this closed?
the recent addition is still horrible to follow and doesn't initialize the void installer like 4.sh above does
it seems it was just copied from the initial tutorial that was already horrible to follow (as it wasn't meant to be followed by users)
(I'm not sure if whatever caused the tutorial to not work has been fixed, but it could at least be made easier to follow)
unless the void installer finally takes care of luks encryption without the need to run cryptsetup or any of that garbage, which would be a valid reason for closing this issue :/
EDIT: if no response or action is made 1 week from now, I'll be creating a new issue in reference to this. I've just checked the downloads, and the current release is still 20191109, which the installer still doesn't support luks so the status of this issue is still unresolved and should not be closed.
ignoring the issue does not resolve the problem ;)
following the installation procedure from the tutorial page resulted in a grub minimal console error after entering the password.
I was able to modify things to where I'd run void-installer first before running xbps-install ... lvm2 cryptsetup
but while that was able to successfully install grub, dracut failed to find /dev/voidvm/root on boot:
dracut Warning: /dev/mapper/voidvm-root does not exist
currently I have a set of shell scripts to be run that initializes things following the tutorial in steps (each step requiring user input)
# ./1.sh:
# ./2.sh:
# ./3.sh:
# ./4.sh:
# ./5.sh:
# ./6.sh:
everything below should be temporarily copied to /mnt:
# ./7.sh:
modify:
# ./8.sh:
# ./9.sh:
and reboot when you're ready
if this could be made more interactive, and the dracut issue actually fixed, it would really help out.
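A pre-reboot check for the three settings this thread keeps returning to (the kernel command line written by the sed command, /etc/crypttab, and the dracut install_items line), added here as an example; it is not part of the original issue, the wiki tutorial, or Void's tooling. The function name and the idea of passing the three paths as arguments are assumptions; rd.luks.uuid= and rd.lvm.vg= are the parameters documented in dracut.cmdline(7).

```shell
#!/bin/sh
# Added example: lint the files the tutorial edits before rebooting.
# Paths are passed explicitly (e.g. under /mnt); nothing is modified.

# Prints one finding per line and returns the number of findings.
check_luks_boot_config() {
    grub_file=$1; crypttab=$2; dracut_conf=$3
    findings=0

    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$grub_file")
    items=$(sed -n 's/^install_items+="\(.*\)"$/\1/p' "$dracut_conf")

    case " $cmdline " in *" cryptdevice="*)
        echo "cmdline: cryptdevice= is mkinitcpio syntax; dracut documents rd.luks.uuid= and rd.lvm.vg="
        findings=$((findings + 1)) ;;
    esac
    case "$cmdline" in *UUID=PASTE*)
        echo "cmdline: UUID=PASTE placeholder was never replaced with the LUKS UUID"
        findings=$((findings + 1)) ;;
    esac
    case " $cmdline " in
        *" rd.luks.uuid="*|*" rd.auto=1 "*|*" rd.auto "*) ;;
        *) echo "cmdline: neither rd.luks.uuid= nor rd.auto=1 is set"
           findings=$((findings + 1)) ;;
    esac

    # crypttab fields: <name> <device> <key file> <options>
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$key" in
            ''|none|-) echo "crypttab: $name has no key file, so the initramfs will prompt"
                       findings=$((findings + 1)); continue ;;
        esac
        # The key file must be copied into the initramfs to be usable there.
        case " $(echo $items) " in
            *" $key "*) ;;
            *) echo "dracut: $key (for $name) is not in install_items"
               findings=$((findings + 1)) ;;
        esac
    done < "$crypttab"
    return "$findings"
}

# Run against real files when three paths are given.
if [ "$#" -eq 3 ]; then check_luks_boot_config "$@"; fi
```

A key file listed in install_items ends up inside the initramfs image, so the image itself has to be readable by root only.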